Replies: 2 comments 2 replies
-
I'm not sure that answers my entire question, but it's progress.
-
\o hey @jerrac sorry about the delay. :-) I'd suggest taking a look at the Vault tutorials. For licensing reasons, we were not able to fork these, but they should still largely be relevant. To answer this:
Typically you'd use an auth method, perhaps tied to your platform. So if you were running on Kubernetes, you'd use https://openbao.org/docs/auth/kubernetes/. Or perhaps from GitLab CI pipelines or GitHub Actions, you'd use JWT auth against their provided ID token: https://openbao.org/docs/auth/jwt/. Maybe you have a TPM and can securely provision a certificate key into it, so you'd do TLS mutual auth: https://openbao.org/docs/auth/cert/. &c. There's more plugins in the ecosystem (AWS, GCP, ... &c) but some of these haven't yet been forked, just lacking a bit of time and maintainer interest in doing so. :-) You would then issue a login request with this authentication information and OpenBao would provision a token (that expires still, so you'd have to re-login or renew it) that your app would use for subsequent requests. Sometimes you'd prefer your app doesn't handle this at all, so you'd use auto-authing proxy -- then your app would "just" make OpenBao requests (to the proxy) and the proxy would handle the details of authentication. Hope that helps! |
Beta Was this translation helpful? Give feedback.
-
Hey all,
I've been wanting to implement Vault (now OpenBao) for a long time, but only recently have been able to start the process. I currently have a test cluster up and running, but I'm not quite finding the right search terms or docs to really understand how to implement things. I just don't know my way around the community yet. So, while I'm sure this question is answered somewhere, in all or in parts, I haven't found that answer yet. :\
To explain my title question a bit better, I want my authentication method between my app and OpenBao to be replaced, not just renewed. So if I use a token, I'd get a brand new token from OpenBao right before the old one expires. And then my app would use that token to access the database/kv/etc. secrets it needs to do what it does.
The idea is that all the secrets for my app should rotate frequently. Right now I'm not figuring out how to make the "App to OpenBao" secret rotate.
My thought was that it would look something like the following for a MariaDB based app:
Where I'm stuck is on how to replace that initial token with something new. I see that tokens have a max ttl, and that ttl applies to all child tokens. Which means that if I create an initial token and give it to my app to use, then that token can only create new tokens that live as long as it lives. I also see that I can renew a token lease until we hit the max ttl, but that means the token itself doesn't get replaced until the ttl ends, and then I have to go in and give the app a new token myself.
I also see AppRole is an option. But it looks like it works by using a role id and secret id, then creating a token. Which leads back to my previous issues...
Anyway, I am working through the official docs, and I've been searching for Vault based articles, so maybe I'll figure it out. In the meantime, hopefully my question is somewhat clear, and maybe someone could point me in the right direction. I'd really appreciate that.
Thanks!
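The flow the answer describes (app presents auth-method credentials, receives a short-lived token, re-authenticates for a brand-new token rather than renewing the old one) and the "replaced, not just renewed" requirement in the question, as an added example. This is not code from the discussion or from the OpenBao project; it uses the documented `/v1/auth/jwt/login` and KV v2 `/v1/<mount>/data/<path>` endpoints and the `X-Vault-Token` header, but the role name `myapp`, the `secret` mount, the secret path, the JWT values and the in-memory `FakeOpenBao` stand-in are all constructed so the file runs offline.

```python
"""Rotate an app's OpenBao token by re-login before it expires.

Added example, not the discussion's or the project's own code. The app
never creates child tokens from its own token (which would inherit the
parent's max TTL); every rotation is a fresh login against the auth
method, so each token is issued directly by OpenBao with a full lease.
"""
import json
import time
import urllib.request
from dataclasses import dataclass
from typing import Callable, Optional

# A transport takes (method, path, headers, json_body) and returns parsed JSON.
Transport = Callable[[str, str, dict, Optional[dict]], dict]


def http_transport(base_url: str) -> Transport:
    """Real HTTP transport for an OpenBao/Vault-compatible API (base_url assumed)."""
    def send(method, path, headers, body):
        data = json.dumps(body).encode() if body is not None else None
        req = urllib.request.Request(base_url + path, data=data, method=method,
                                     headers={"Content-Type": "application/json", **headers})
        with urllib.request.urlopen(req, timeout=10) as resp:
            return json.loads(resp.read() or b"{}")
    return send


@dataclass
class RotatingClient:
    transport: Transport
    role: str                                 # JWT auth role (assumed: "myapp")
    jwt_provider: Callable[[], str]           # e.g. reads the CI job's fresh ID token
    clock: Callable[[], float] = time.time
    rotate_fraction: float = 0.25             # re-login once <25% of the lease remains
    token: Optional[str] = None
    lease_duration: int = 0
    expires_at: float = 0.0
    logins: int = 0

    def login(self) -> str:
        """Exchange a fresh JWT for a brand-new token (a login, not a renew-self)."""
        resp = self.transport("POST", "/v1/auth/jwt/login", {},
                              {"role": self.role, "jwt": self.jwt_provider()})
        auth = resp["auth"]
        self.token = auth["client_token"]
        self.lease_duration = auth["lease_duration"]
        self.expires_at = self.clock() + self.lease_duration
        self.logins += 1
        return self.token

    def needs_rotation(self) -> bool:
        remaining = self.expires_at - self.clock()
        return remaining <= self.rotate_fraction * self.lease_duration

    def current_token(self) -> str:
        if self.token is None or self.needs_rotation():
            self.login()
        return self.token

    def read_kv(self, mount: str, path: str) -> dict:
        """Read a KV v2 secret with whatever token is currently valid."""
        resp = self.transport("GET", f"/v1/{mount}/data/{path}",
                              {"X-Vault-Token": self.current_token()}, None)
        return resp["data"]["data"]


class FakeOpenBao:
    """Constructed in-memory stand-in for the two endpoints the client uses."""
    def __init__(self, clock, ttl=60, accepted_jwts=("jwt-A",), kv=None):
        self.clock, self.ttl, self.accepted = clock, ttl, set(accepted_jwts)
        self.kv = kv or {}
        self.tokens = {}      # token -> expiry timestamp
        self.issued = 0

    def __call__(self, method, path, headers, body):
        if method == "POST" and path == "/v1/auth/jwt/login":
            if body.get("role") != "myapp" or body.get("jwt") not in self.accepted:
                raise PermissionError("login denied")
            self.issued += 1
            tok = f"s.fake-{self.issued}"
            self.tokens[tok] = self.clock() + self.ttl
            return {"auth": {"client_token": tok, "lease_duration": self.ttl,
                             "renewable": True}}
        if method == "GET" and path.startswith("/v1/secret/data/"):
            tok = headers.get("X-Vault-Token")
            if tok not in self.tokens or self.tokens[tok] <= self.clock():
                raise PermissionError("permission denied")   # expired or unknown token
            return {"data": {"data": self.kv[path[len("/v1/secret/data/"):]]}}
        raise KeyError(path)


def demo():
    """Drive the client with a fake clock; returns (secret, tokens seen, login count)."""
    now = [1000.0]
    clock = lambda: now[0]
    server = FakeOpenBao(clock, ttl=60,
                         kv={"myapp/db": {"username": "app", "password": "constructed"}})
    client = RotatingClient(server, role="myapp", jwt_provider=lambda: "jwt-A", clock=clock)
    secret = client.read_kv("secret", "myapp/db")
    t1 = client.token
    now[0] += 30                               # 30 s of 60 s left: keep the token
    client.read_kv("secret", "myapp/db")
    t2 = client.token
    now[0] += 20                               # 10 s left (<25%): fresh login, new token
    client.read_kv("secret", "myapp/db")
    t3 = client.token
    return secret, [t1, t2, t3], client.logins


if __name__ == "__main__":
    print(demo())
```

Against a real server, replace `FakeOpenBao` with `http_transport("https://openbao.example:8200")` and a `jwt_provider` that returns the platform's current ID token; the rotation threshold is a judgement call, but it should leave enough headroom for a login to fail and be retried before the old token lapses.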